FriendFinder Networks Inc., the parent company behind a number of the world’s largest adult-centric social and community websites has been the target of a mega-breach, with the compromise of over 412 million accounts’ details.
In what is the biggest breach of 2016, six databases belonging to FriendFinder Networks Inc have been compromised, according to breach notification resource LeakedSource.
Alongside the leaked databases, FriendFinder Networks’ source code and its public/private key-pairs were also compromised during the comprehensive breach. Of the 400+ million accounts, a significant majority of affected accounts stem from Adultfriendfinder.com, with nearly 340 million account details now leaked. Cams.com sees over 62 million accounts affected, while Penthouse and Stripshow each see millions more.
Furthermore, a comb through of the data revealed a significant number of users with emails in the format: email(@)address.com(@)deleted.com. The ‘@deleted.com’ suffix is fundamentally a tag used by AdultFriendFinder following user requests for account cancellation. While the practice is certain to bring further criticism upon FriendFinder’s privacy procedures, there were over 15 million (!) “deleted” accounts also discovered in the data dump.
Altogether, a total of 412,214,295 accounts were compromised. LeakedSource sought to crack the passwords, some of which were encrypted with SHA1 hash with pepper. The other, alarmingly, were in plain text, as obtained from the databases.
Neither method is considered secure by any stretch of the imagination and furthermore, the hashed passwords seem to have been changed to all lowercase before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world.
Ultimately, 99 percent of all available passwords are now visible in plaintext, following LeakedSource’s password cracking process.
The resource further revealed that the breach took place after attackers took note of a vulnerability by triggering a Local File Inclusion exploit (LFI). Unlike previous instances when breached data was made available for searching purposes to the public by LeakedSource, the service decided against doing so, this time. The breach is now the biggest on record this year, with the Myspace breach of some 350 million user accounts now second on that list.
Image credit: Pexels.